Why would you hire a hacker?
As celebrities and high-profile companies come under fire from cybercriminals, EDGAR goes in search of those seeking out their services.May 24, 2015
“I would like to spy on WhatsApp conversations in real time on my girlfriend. Is it possible? Costs?” says Dingo from Italy. Budget: $100. “I need to boost my GPA in order to get into a prestigious university. Help me out!” Says aco676 from America. Budget: $2,000. “I am looking for someone to help totally remove a Google blog spot,” says Chazark from the Czech Republic. Budget: $200.
These requests are some of more than 2,000 posted on the site, hackerslist.com. The site isn’t hidden, and anyone with a Facebook profile can join and start posting requests straight away. Welcome to the age of hackers for hire.
Hackerlist.com is one of several new sites attempting to sate the demand for private individuals looking to keep tabs on their significant others, change their grades, and even make drink driving offences disappear from official records. As our lives become more digital, the ability to tweak and change things that were previously out of our reach has exploded.
This new age of cybercrime now costs the global economy more than $400 billion a year to combat according to the Centre for Strategic and International Studies. A report by McAfee meanwhile, suggests that the losses from cybercrime could cost as many as 200,000 jobs in the US alone through financial losses suffered by companies – and individuals – at the hands of the hackers.
The Love Letter virus, allegedly written by two young Filipino computer programmers named Reonel Ramones and Onel de Guzman cost $15 billion worth of damages worldwide when it was released in 2000.
Gary McKinnon (above) a Scottish hacker who carried out the “biggest military hack of all time” in 2001 when he breached nearly 100 computers deep inside the US military and NASA’s computer networks, did so from the comfort of the bedroom of his girlfriend’s auntie’s house.
But while these large-scale hacks receive the bulk of the media attention, there is an army of hackers for hire helping jilted lovers gain access to former loved ones’ computers, or students looking to alter test scores, all for cash. It’s anonymous, cheap and the tools to do it are now floating around online, waiting for anyone with a penchant for law breaking to give them a try.
Day in the life of a hacker
Cyb3r23 lives in the United States. On the surface, he appears to be a pretty normal guy. He works as an independent contractor fixing computers, he teaches mixed martial arts, likes to party and helps map public Wi-Fi networks on the weekend.
But cyb3r23 is also a hacker for hire. When not working or partying, he sells his services on Craigslist – a classified advertisements website popular in the United States. Anything from accessing social media accounts of significant others, to viewing financial records and accounts and even breaching government databases.
“I’ve been asked to do many things and have gone through with them all,” he says via email. “Most of the time it’s just jealous boyfriends and girlfriends trying to snoop on their significant other. Sometimes, it’s foreign companies trying to get consumer information and trade secrets of American companies. Nobody really cares, all sense of morality is pretty much gone online, as long as you get the payment.”
He can work on up to five projects at a time, depending on workload, and even offers one-to-one Skype calls with customers to talk through his findings. However, one particular case brought him and his clients a bit too close together.
Cyb3r23 had been hired to discover what his client’s wife’s lawyers had planned for him in divorce proceedings. What the hacker found however, was a lot more sinister. “He had a life insurance policy, for quite a lot of money, and she had been using Tor (an encrypted web browser) to access the deep web in order to try and find hit men.”
The hacker informed his client what was going on, who then confronted his estranged wife. She responded by hiring a hacker of her own to find out whom had been spying on her. “The guy couldn’t track me, but I took it personally and dished out personal justice to his computer,” says cyb3r23. As it transpired, the hit man the client’s wife was speaking to was an FBI sting operation, and cyb3r23 had to disappear from the scene or face scrutiny from the FBI.
I reached out to other hackers and heard similar stories of private individuals looking to gain the upper hand over friends and loved ones. “[A lot of people] ask if I can hack their SOs [significant others’] Facebook, or break into their phone/Skype etc,” says one hacker.
There are no real figures on how many hackers exist in the world today, but many believe that we are currently near the highest numbers ever seen. “I don’t think now is the high peak, it was probably back in 2011-2013 when Anonymous was on the news every night.”
But Dr Sandro Gaycken, a senior tech researcher at ESMT European School of Management and Technology, who is currently working for NATO on cyber security feels the past 12 months have seen an upturn in the sophistication and number of attacks. “We have more attackers, different attackers, a wider range of interests, and much more advanced attack methodologies and tactics.”
But why are there now so many hackers plying their trade online? “You can download tools and tutorials, but those will not enable you to hack into anything interesting. But militaries and criminals worldwide are working on that with educational initiatives, new organizational models and other tricks,” says Gaycken.
Criminal groups such as Lizard Squad, known for hacking into the PlayStation Network and Xbox Live servers stealing millions of email and account numbers of users, launched their own DDoS (Distributed Denial of Service) tool, allowing anyone to shutdown a website by flooding it with traffic for just $6.
With the lowering of the boundary between hackers and people looking to hire them, what’s being done to stop it?
“Too little and most of that is even wrong. We have no strategic approach to computer security yet. It’s a combination of tinkering, lies and prayers, really. Generic, cross-platform products are very ineffective when it comes to more advanced attackers,” says Gaycken.
“Much of these types of crimes are so widespread nowadays, it remains to be seen how much prosecutorial muscle will be put to investigating any of the password-cracking, database-breaching shenanigans,” said online security company Sophos on its blog, Naked Security.
While high profile cases such as Gary McKinnon did make it to mainstream news outlets, many others rarely, if ever see a courtroom. In the case of the Love Letter virus perpetrators, due to the Philippines not having any formal laws recognising the spread of computer viruses, both walked free.
In the UK, there isn’t anything illegal about websites offering services such as DDoS. While the site may be registered in one country, the infrastructure to carry out the act will be elsewhere, which makes these services particularly difficult to control and combat.
I ask cyb3r23 about his run-ins with the law. “I have never been caught but I’ve been close. I know three or four people who were running botnets and got caught and reported by their ISP (Internet Service Provider). I know a few others who were raided. Nothing really happened to them, they knew they’d been snitched on and just destroyed the evidence. The Feds can’t do much.”
However, the act of hacking is not entirely illegal. Many businesses hire hackers to fix security holes in the practice known as ‘ethical hacking’. The key distinction legally between ethical and criminal hacking is consent, says Rachel Atkins, a partner at Schillings, a reputation management firm.
While the picture in the press is often portrayed as businesses and individuals being senselessly attacked, a recent trend among companies and individuals is to go on the offensive themselves. In the case of the Sony PlayStation Network hack last year, tech site Recode reported that Sony had used hundreds of computers in Asia to initiate denial-of-service attacks on websites offering Sony’s stolen data to the public.
The business of hacking
Drug-dealers, hitmen and prostitution: welcome to the Dark Web
The computer glitch that could cause chaos
Turning defence into offence is a tactic that Gaycken says could help counter the rise of hackers for hire. Research conducted by KPMG in November 2014 revealed that half of UK companies would consider hiring a hacker with a criminal record to defend against attacks.
But while companies are beginning to sit up and take notice of the needs to protect themselves, individuals are increasingly going to be in the firing line of others with a grudge and money to spend on hackers for hire.